Jonathan Beerhalter

Reputation: 7407

Why does PrincipalContext.ValidateCredentials return true for blank passwords?

We have a login box for our app that asks the user to enter their AD credentials. We take those credentials and then call

    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain, container, ContextOptions.SimpleBind))
    {
        return pc.ValidateCredentials(domain + @"\" + username, password, ContextOptions.SimpleBind);
    }

to validate that they've entered a valid login/password pair. What we found out, though, was that the call to ValidateCredentials will return true with a blank password, and we have no idea why. An invalid password returns false, but blank will return true as long as the username is correct.

Upvotes: 3

Views: 6969

Answers (1)

Brian Green

Reputation: 567

From MSDN (http://msdn.microsoft.com/en-us/library/bb154889.aspx):

The ValidateCredentials method binds to the server specified in the constructor. If the username and password parameters are null, the credentials specified in the constructor are validated. If no credential were specified in the constructor, and the username and password parameters are null, this method validates the default credentials for the current principal.

In the PrincipalContext constructor you could specify the credentials you want to check as well.

    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain,
                           container, ContextOptions.SimpleBind, username, password))
    {
        return pc.ValidateCredentials(domain + @"\" + username, password,
                                      ContextOptions.SimpleBind);
    }

Upvotes: 4
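
One way to guard the call from the question against null and blank input, as an added example that is not part of the original question or answer. The `AdLogin` class and `TryValidate` method are hypothetical names; `domain` and `container` are the same values the question passes in.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper: the class and method names are assumptions for illustration.
public static class AdLogin
{
    public static bool TryValidate(string domain, string container,
                                   string username, string password)
    {
        // Per the MSDN text quoted above, null username/password makes
        // ValidateCredentials check the constructor's (or the current
        // principal's) credentials instead of the user's input.
        // A name with a zero-length password in an LDAP simple bind is an
        // "unauthenticated bind" (RFC 4513, section 5.1.2), which a server
        // may accept. Reject both cases before contacting the directory.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
        {
            return false;
        }

        try
        {
            // SimpleBind on its own sends the password unencrypted; it can be
            // combined with ContextOptions.SecureSocketLayer where LDAPS is available.
            using (var pc = new PrincipalContext(ContextType.Domain, domain,
                                                 container, ContextOptions.SimpleBind))
            {
                return pc.ValidateCredentials(domain + @"\" + username, password,
                                              ContextOptions.SimpleBind);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Directory unreachable: fail closed, never treat it as a valid login.
            return false;
        }
    }
}
```

With this guard, a blank or null password returns false without a bind ever being attempted, so the result no longer depends on how the domain controller handles empty-password binds.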
